Example—ipsecinit.conf File

The Solaris software includes a sample IPsec policy file that you can
use as a template to create your own ipsecinit.conf file.
This sample file is named ipsecinit.sample and it contains
the following entries:

#
#ident "@(#)ipsecinit.sample 1.6 01/10/18 SMI"
#
# Copyright (c) 1999,2001 by Sun Microsystems, Inc.
# All rights reserved.
#
# This file should be copied to /etc/inet/ipsecinit.conf to enable IPsec
# systemwide policy (and as a side-effect, load IPsec kernel modules).
# Even if this file has no entries, IPsec will be loaded if
# /etc/inet/ipsecinit.conf exists.
#
# Add entries to protect the traffic using IPsec. The entries in this
# file are currently configured using ipsecconf from inetinit script
# after /usr is mounted.
#
# For example,
#
# {rport 23} ipsec {encr_algs des encr_auth_algs md5}
#
# Or, in the older (but still usable) syntax
#
# {dport 23} apply {encr_algs des encr_auth_algs md5 sa shared}
# {sport 23} permit {encr_algs des encr_auth_algs md5}
#
# will protect the telnet traffic originating from the host with ESP using
# DES and MD5. Also:
#
# {raddr 10.5.5.0/24} ipsec {auth_algs any}
#
# Or, in the older (but still usable) syntax
#
# {daddr 10.5.5.0/24} apply {auth_algs any sa shared}
# {saddr 10.5.5.0/24} permit {auth_algs any}
#
# will protect traffic to or from the 10.5.5.0 subnet with AH
# using any available algorithm.
#
#
# To do basic filtering, a drop rule may be used. For example:
#
# {lport 23 dir in} drop {}
# {lport 23 dir out} drop {}
#
# will disallow any remote system from telnetting in.
#
#
# WARNING: This file is read before default routes are established, and
# before any naming services have been started. The
# ipsecconf(1M) command attempts to resolve names, but it will
# fail unless the machine uses files, or DNS and the DNS server
# is reachable via routing information before ipsecconf(1M)
# invocation. (that is, the DNS server is on-subnet, or DHCP
# has loaded up the default router already.)
#
# It is suggested that for this file, use hostnames only if
# they are in /etc/hosts, or use numeric IP addresses.
#
# If DNS gets used, the DNS server is implicitly trusted, which
# could lead to compromise of this machine if the DNS server
# has been compromised.
#